Account Takeover in tooljet/tooljet

Valid

Reported on

May 19th 2022


Description

Hi, I found a way to take over a user's account.

Proof of Concept

1. Victim A is a member of an organization, orgA.

2. The attacker creates a new account with organization orgB.

3. The attacker invites victim A to orgB.

4. Since an admin can access the invitation link, the attacker copies this link and sets a new password using it.

5. The attacker now logs in with victim A's email and the newly created password.

PoC link:

https://youtu.be/krzkXTIy5ww

Impact

This will lead to account takeover of any low-privileged user or admin user.
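The flaw the report describes is a server-side one: an organization invite token is accepted as authority to set the password of whatever address it names, even when that address already belongs to an existing account. As an added example (this is not tooljet's code, and every name in it, such as User, Invite, createInvite, acceptInviteVulnerable and acceptInviteHardened, is hypothetical), the TypeScript below models the invite flow with an in-memory store: the vulnerable handler overwrites credentials on any valid token, while the hardened handler only ever grants membership, sets a password solely for an account that has never had one, requires an existing account to prove its current password, and keeps the raw token out of anything an admin can list.

```typescript
// Added example, not tooljet's code: an in-memory model of organization
// invites showing why an invite token must never double as a password reset.
// All names (User, Invite, createInvite, ...) are hypothetical.
import { createHash, randomBytes, scryptSync, timingSafeEqual } from "crypto";

interface User { email: string; passwordHash: string | null; orgs: Set<string> }
interface Invite { email: string; orgId: string; used: boolean }

let users = new Map<string, User>();
let invites = new Map<string, Invite>(); // keyed by sha256(token), never the raw token

export function resetStore(): void { users = new Map(); invites = new Map(); }

const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");

function hashPassword(pw: string): string {
  const salt = randomBytes(16).toString("hex");
  return `${salt}:${scryptSync(pw, salt, 32).toString("hex")}`;
}

function verifyPassword(pw: string, stored: string): boolean {
  const [salt, hex] = stored.split(":");
  return timingSafeEqual(scryptSync(pw, salt, 32), Buffer.from(hex, "hex"));
}

// An admin invites an address. The raw token is returned only so the caller can
// e-mail it to the invitee; it must not be shown anywhere in the admin UI.
export function createInvite(orgId: string, email: string): string {
  const token = randomBytes(24).toString("hex");
  invites.set(sha256(token), { email, orgId, used: false });
  if (!users.has(email)) {
    users.set(email, { email, passwordHash: null, orgs: new Set<string>() });
  }
  return token;
}

// What an admin may see about pending invites: address and status only, no token.
export function listMembersForAdmin(orgId: string): { email: string; status: string }[] {
  return Array.from(invites.values())
    .filter((i) => i.orgId === orgId)
    .map((i) => ({ email: i.email, status: i.used ? "active" : "invited" }));
}

// VULNERABLE: a valid invite token sets the password of the invited address,
// even when that address already has an account in another organization.
export function acceptInviteVulnerable(token: string, newPassword: string): boolean {
  const inv = invites.get(sha256(token));
  if (!inv || inv.used) return false;
  const user = users.get(inv.email)!;
  user.passwordHash = hashPassword(newPassword); // overwrites existing credentials
  user.orgs.add(inv.orgId);
  inv.used = true;
  return true;
}

// HARDENED: the invite only ever grants membership. A password is set only for
// an account that has never had credentials; an existing account must prove its
// current password (an authenticated session in a real app), and its stored
// hash is never modified by this path. Tokens are single-use either way.
export function acceptInviteHardened(
  token: string,
  proof: { newPassword?: string; currentPassword?: string },
): "created" | "joined" | "rejected" {
  const inv = invites.get(sha256(token));
  if (!inv || inv.used) return "rejected";
  const user = users.get(inv.email)!;
  if (user.passwordHash === null) {
    if (!proof.newPassword) return "rejected";
    user.passwordHash = hashPassword(proof.newPassword);
    user.orgs.add(inv.orgId);
    inv.used = true;
    return "created";
  }
  if (!proof.currentPassword || !verifyPassword(proof.currentPassword, user.passwordHash)) {
    return "rejected";
  }
  user.orgs.add(inv.orgId);
  inv.used = true;
  return "joined";
}

export function login(email: string, password: string): boolean {
  const user = users.get(email);
  return !!user && user.passwordHash !== null && verifyPassword(password, user.passwordHash);
}

export function isMember(email: string, orgId: string): boolean {
  return users.get(email)?.orgs.has(orgId) ?? false;
}
```

Replaying the report's steps against both handlers makes the difference concrete: with the vulnerable handler, an invite from orgB to an address that already has an account lets whoever holds the token log in as that account; with the hardened handler, the same token is rejected unless the existing account's own password is supplied, and even then it only adds orgB membership. Storing only a hash of the token and returning status rather than the token from the admin-facing list are the second half of the fix, since a token the admin can read is a token the admin can use.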

We are processing your report and will contact the tooljet team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
We have contacted a member of the tooljet team and are waiting to hear back a year ago
We have sent a follow up to the tooljet team. We will try again in 7 days. a year ago
We have sent a second follow up to the tooljet team. We will try again in 10 days. a year ago
tooljet/tooljet maintainer validated this vulnerability a year ago
Distorted_Hacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
tooljet/tooljet maintainer marked this as fixed in v1.16.0 with commit fadf02 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Distorted_Hacker
a year ago

Researcher


Hi @admin, can you please assign a CVE?

Thanks

Jamie Slome
a year ago

Admin


Sorted 👍
